https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33851#M6091 <P>The type of re-use you're talking about <EM>does</EM> occur in the transforms. While it's true that you have to reference each transform (i.e., "user-account-change") for each applicable sourcetype in props.conf, you're reusing the regular expression rule itself which appears in transforms.conf. Specifically with regards to Windows Event Logs, you might consider checking the source of these events in your results. It may be possible to use a single props.conf stanza (like <CODE>[source::(WMI:WinEventLog|WinEventLog)...]</CODE> based on source--think input path). An example of this is found in the <A href="http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on">Splunk for Windows Technology Add-on</A>.</P> Tue, 24 Apr 2012 18:26:30 GMT sowings 2012-04-24T18:26:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33847#M6087 <P>Let us say you have following lines in your props.conf file:</P> <P>[WinEventLog:Security]</P> <P>REPORT-common = user-account-change</P> <P>REPORT-win-2k3 = group-type-change</P> <P>You have another event source type ABC which generates exact same events as WinEvnetLog:Security so you want to apply the same transforms to it. You can do so by adding following lines to your props.conf file:</P> <P>[ABC]</P> <P>REPORT-common = user-account-change</P> <P>REPORT-win-2k3 = group-type-change</P> <P>This duplicates these REPORT-* entries. Is it possible to support more than one source types in props.conf for the same transform items? An example is:</P> <P>[WinEventLog:Security],[ABC]</P> <P>REPORT-common = user-account-change</P> <P>REPORT-win-2k3 = group-type-change</P> Mon, 23 Apr 2012 22:36:39 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33847#M6087 tonopahtaos 2012-04-23T22:36:39Z https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33848#M6088 <P>To the best of my knowledge that is not possible. Also, as far as I know, there are no other applications than the Windows OS that produce the same kind of events as WinEventLog:Security.</P> <P>Are you sure that you should have different sourcetypes for this data? If the format of the events are the same, then it generally IS the same sourcetype. That is pretty much the idea behind sourcetypes. Then you can have just one props.conf stanza.</P> <P>/kristian</P> Tue, 24 Apr 2012 08:17:40 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33848#M6088 kristian_kolb 2012-04-24T08:17:40Z https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33849#M6089 <P>The WMI:WinEventLog:Security has exact same events as WinEventLog:Security.</P> Tue, 24 Apr 2012 16:58:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33849#M6089 tonopahtaos 2012-04-24T16:58:51Z https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33850#M6090 <P>The WMI:WinEventLog:Security has exact same events as WinEventLog:Security.</P> Tue, 24 Apr 2012 16:59:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33850#M6090 tonopahtaos 2012-04-24T16:59:14Z https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33851#M6091 <P>The type of re-use you're talking about <EM>does</EM> occur in the transforms. While it's true that you have to reference each transform (i.e., "user-account-change") for each applicable sourcetype in props.conf, you're reusing the regular expression rule itself which appears in transforms.conf. Specifically with regards to Windows Event Logs, you might consider checking the source of these events in your results. It may be possible to use a single props.conf stanza (like <CODE>[source::(WMI:WinEventLog|WinEventLog)...]</CODE> based on source--think input path). An example of this is found in the <A href="http://splunk-base.splunk.com/apps/28933/splunk-for-windows-technology-add-on">Splunk for Windows Technology Add-on</A>.</P> Tue, 24 Apr 2012 18:26:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33851#M6091 sowings 2012-04-24T18:26:30Z https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33852#M6092 <P>[source::(WMI:WinEventLog|WinEventLog)...] is working for me. </P> <P>I tried using regex yesterday and were not lucky. The ... is the key to work. </P> <P>Thanks a lot.</P> Tue, 24 Apr 2012 18:55:32 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33852#M6092 tonopahtaos 2012-04-24T18:55:32Z https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33853#M6093 <P>No problem. Note that it seems that the "..." is only available for matches beginning with [source: ], kind of like using ... in inputs.conf.</P> Tue, 24 Apr 2012 19:00:30 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-process-event-exact-same-for-events-from-multiple-event/m-p/33853#M6093 sowings 2012-04-24T19:00:30Z